Add rbac removal for when auth with proxy

[mlbiam]

Changes

Updated docs with RBAC for least privileged access when using a reverse proxy for authentication

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

• [x ] Docs included if any changes are user facing
• Tests included if any functionality added or changed
• Follows the commit message standard
• Meets the Tekton contributor standards (including
  functionality, content, code)

See the contribution guide
for more details.

[linux-foundation-easycla]

The committers are authorized under a signed CLA.

• ✅ Marc Boorshtein (7d5ff47)

[tekton-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign alangreene
You can assign the PR to them by writing /assign @alangreene in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tekton-robot]

Hi @mlbiam. Thanks for your PR.

I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[AlanGreene]

Thanks for the PR @mlbiam
/ok-to-test

[AlanGreene]

nit:

Suggested change

	When using a reverse proxy, with impersonation headers or the user's account, you should remove the dashboard's privileges to better maintain a "least privileged" approach. This will make it less likely that the dashboard's `ServiceAccount` will be abused:
	When using a reverse proxy, with impersonation headers or the user's account, you should remove the Dashboard's privileges to better maintain a "least privileged" approach. This will make it less likely that the Dashboard's `ServiceAccount` will be abused:

[AlanGreene]

Maybe we should consider adding a label to these resources to more easily target them for deletion and avoid having to keep this list up to date. What do you think? e.g. rbac.dashboard.tekton.dev/default: true or similar so we could kubectl delete clusterrole -l rbac.dashboard.tekton.dev/default=true etc.

Technically only the bindings need to be deleted, so maybe rbac.dashboard.tekton.dev/subject: tekton-dashboard or similar would be more suitable on those, to make it clear we're removing the default permissions granted the Dashboard's SA.

I think we'll likely add an additional manifest (or at least an installer script flag) in future to install the Dashboard without these resources. This would probably make sense as part of the remaining work to improve the experience with custom RBAC, impersonation, etc.

[AlanGreene]

Thanks again for the PR @mlbiam. I've opened a new PR #2309 implementing my suggestion from above and added you as a co-author. Closing this one.